Merge branch 'master' of github.com:MISP/misp-book

.gitignore

@@ -1,2 +1,13 @@
+# Temp md files
 *.md~
+
+# Compiled assets
 book.pdf
+book.epub
+book.mobi
+
+# Compiled book
+_book
+
+# node foo
+node_modules

administration/README.md

@@ -208,7 +208,6 @@ Since version 2.3, MISP has a settings and diagnostics tool that allows site-adm
 ### Server settings and diagnostics
 
 
-
 ![Server settings overview with all of the tabs explained.](figures/settings_1.png)
 
 The settings and diagnostics tool is split up into several aspects, all accessible via the tabs on top of the tool. For any unset or incorrectly set setting, or failed diagnostic a number next to the tab name will indicate the number and severity of the issues. If the number is written with a red font, it means that the issue is critical. First, let's look at the various tabs:
@@ -422,6 +421,46 @@ Apart from off-loading long-lasting jobs to the background workers, there is a s
 
 ### Various administration tips & tricks
 
+
+#### Setting a Publish Alert Filter
+
+To regulate the reception of e-mail from MISP it is possible to create filters. Each individual user account can apply such filter.
+
+The filter can be configured by the user but also by the organization administrator.
+
+After login goto Administration -> Set User Setting:
+
+![Set User settings](figures/setUserSetting.png)
+
+A new screen appears. Make sure the “Setting” drop down box shows “publish_alert_filter”:
+
+![Set User settings](figures/setUserSetting2.png)
+
+The text field “Value” contains the filter, which needs to be provided in JSON format. Important JSON-objects which can be used here go by the name AND”, “OR” and “NOT”. These should be structured in a logical tree.
+
+The filtering can be applied to tags or to a publishing organization.
+
+In the following example, all notifications will be filtered which carry ‘tlp.white’ and ‘tlp.green’ in the name of the tag:
+
+```
+{
+
+    "NOT": {
+
+        "Tag.name" : [ "tlp.white", "tlp.green" ]
+
+    }
+
+}
+```
+
+The publish_alert_filter setting allows one filter definition to be active.
+
+After applying the configuration, the filter will show up in the “My Settings” menu:
+
+![Set User settings](figures/setUserSetting3.png)
+
+
 #### Default sharing level
 
 Choose your default sharing level to match your usage scenario for MISP. The setting is named *default_event_distribution* and the values can be:

appendices/README.md

@@ -233,6 +233,7 @@ This section lists the projects that can be found on the main [MISP GitHub](http
 | Project | Description | Status |
 | -- | -- | -- |
 | [misp-objects](https://github.com/MISP/misp-objects) | Definition, description and relationship types of MISP objects | Core to MISP, frequently updated and tested |
+| [Best Practices in ThreatIntel](https://github.com/MISP/best-practices-in-threat-intelligence) | Best practices in threat intelligence | Book available here: https://www.misp-project.org/best-practices-in-threat-intelligence.html |
 
 <!--
 | []() |  | Core to MISP, frequently updated and tested |
@@ -305,7 +306,6 @@ This section lists some projects we know of but not officially support and rely
 
 A brief list of online ressources that around #ThreatIntel
 
-* [Curated list of awesome cybersecurity companies and solutions.](https://github.com/Annsec/awesome-cybersecurity/blob/master/README.md) (Updated April 2017)
 * [A curated list of awesome malware analysis tools and resources](https://github.com/rshipp/awesome-malware-analysis/blob/master/README.md). Inspired by [awesome-python](https://github.com/vinta/awesome-python) and [awesome-php](https://github.com/ziadoz/awesome-php).
 * [An authoritative list of awesome devsecops tools with the help from community experiments and contributions](https://github.com/devsecops/awesome-devsecops/blob/master/README.md).[DEV.SEC.OPS](http://devsecops.org)
 * [Advance Python IoC extractor](https://github.com/InQuest/python-iocextract)

book-convention/README.md

@@ -22,7 +22,7 @@ All the screenshots and examples are in English.
 ## CoC
 
 The same code of conduct applies to this book as for the main MISP project.
-As a book can some times be considered the inadvertent sould of a piece of software, please take good care and consideration of our `Code of Conduct`. The CoC [can be read here](https://github.com/MISP/MISP/blob/2.4/code_of_conduct.md).
+As a book can some times be considered the inadvertent soul of a piece of software, please take good care and consideration of our `Code of Conduct`. The CoC [can be read here](https://github.com/MISP/MISP/blob/2.4/code_of_conduct.md).
 
 ## Example install
 

using-the-system/README.md

@@ -89,7 +89,7 @@ Sharing groups consist of the following elements, each of which has its own page
 ![The servers tab of the sharing group tool](figures/sgpage3.png)
 
 *  **Servers:** The third page of the tool describes the MISP instances the data marked with the given sharing group are allowed to be synchronised with. Keep in mind that any user that can view an event on a given instance will have the right to pull the event to their home instance, as they are part of the sharing group, however the organisation distribution list will still apply.
-  *  **Enable roaming mode:** This setting will disable the server list and rely purely ont he organisation list to distribute the data. If a sync connection's host organisation is in the organisation distribution list the instance becomes eligible for synchronising the data marked with the sharing group. Generally this carries a slightly higher risk as it relies on administrators correctly setting up the host organisation settings, but it removes the need to know the specific instance urls where the event/attribute should flow.
+  *  **Enable roaming mode:** This setting will disable the server list and rely purely on the organisation list to distribute the data. If a sync connection's host organisation is in the organisation distribution list the instance becomes eligible for synchronising the data marked with the sharing group. Generally this carries a slightly higher risk as it relies on administrators correctly setting up the host organisation settings, but it removes the need to know the specific instance urls where the event/attribute should flow.
   *  **Add instance:** Add an instance to the distribution list from the sync instances set up under sync actions -> servers
   *  **All orgs:** Checking this checkmark will automatically include all organisations on the given instance in the sharing group. This means that in order to exchange with all users of a linked community, one does not need to know every organisation residing on the instance. This also means that the distribution list will not include the organisation names, which can be interesting for certain privacy sensitive communities.
 
@@ -112,7 +112,7 @@ Templates are devided into sections, with each section having a title and a desc
 *  **Field**: The name of the field along with an indication if the field is mandatory.
 *  **Description**: A short description of the field.
 *  **Types**: The value(s) that are valid for the field. In the case of several types being shown here, you can enter value(s) matching any one of the types, or in the case of a batch import field, any mixture of the given types.
-*  **Text field**: This field can either be a single line textfield or a multi-line text area. For the former, enter a single value of the above indicated type, whilst for the latter you cna paste a list of values separated by line-breaks.
+*  **Text field**: This field can either be a single line textfield or a multi-line text area. For the former, enter a single value of the above indicated type, whilst for the latter you can paste a list of values separated by line-breaks.
 
 ### Freetext Import Tool